File Description



This file contains examples of the generalized quantum permanent compromise attack on the Blum-Micali construction. The examples presented here illustrate the attack described in the paper published by Guedes et al. in WECIQ 2010 [3].

To characterize the Blum-Blum-Shub generator, the following references were used: [1, 5, 8, 10]. In the case of the Kaliski generator, the references were: [2, 6, 8, 10]. The reader should consult them for more details about these generators.



1 Blum-Blum-Shub Generator

Let $M$ be the product of two large primes $p$ and $q$ where $p \equiv q \equiv 3 \pmod 4$, i.e., $M$ is a Blum prime. Define $QR_M$ as the quadratic residues modulo $M$, i.e., $QR_M = (\mathbb{Z}_M)^2$.

Let $f$ be the Rabin function on $\mathbb{Z}_M$, with the following definition:

$$ f(x) = x^2 \bmod M \qquad (1) $$

The Blum-Blum-Shub generator (BBS) takes a seed $x_0$ and iterates the Rabin function in the following way:

$$ x_i = x_{i-1}^2 \bmod M \qquad (2) $$
$$ b_i = \gamma_j(x_i) \qquad (3) $$

where $\gamma_j$ denotes the hard-core predicate for the one-way permutation. This hard-core predicate returns the $j$-th bit of its argument, where $j$ is previously fixed and $1 \le j \le n$. The values of $M$ and $j$ are publicly known, and the security of the BBS generator relies on the hypothesis of the hardness of factoring [5, 8, 10].

Suppose that a cryptosystem uses the BBS to produce pseudorandom quantities. This generator was initialized with the parameters ($M = 3 \cdot 7 = 21$, $j = 5$), which are publicly known.^1

Suppose that an adversary of this cryptosystem wants to attack the BBS generator. In this scenario, suppose that the adversary (i) discovered that the following sequence of bits $b = 10$ was output by the generator; and (ii) possesses a quantum computer able to execute the generalized quantum permanent compromise attack on the Blum-Micali construction.

In the next sections, the activities needed to perform the attack successfully will be described.

^1 Taking $j = 5$ means that the least significant bit will be returned by the hard-core predicate.
1.1 Attack Setup

The attack setup comprises all the steps necessary to prepare the quantum algorithm to run. Firstly, the adversary needs to prepare the quantum gates that will be used in the attack.

The number of qubits needed to represent the domain in a quantum computer is $\lceil \log |D| \rceil = 5$. Since 2 bits were discovered by the adversary, 2 qubits will compose the second register. In this way, the summary of necessary qubits is: 5 qubits for the first register, 2 qubits for the second register, and 1 ancillary qubit for the amplitude amplification procedure.

The $p$ gate implements the permutation over $QR_M$, performing the following transformations:

$$ |x \in QR_M\rangle \to |x^2 \bmod M\rangle \qquad (4) $$
$$ |x \notin QR_M\rangle \to |x\rangle \qquad (5) $$

To simplify the notation, let $lsb(x)$ be the function that, given an integer $x$, returns the least significant bit of $x$.

The $S_{b_i}$ gates, where $b_i$ represents the associated bit produced, have the following definition:

$$ S_{b_i}|x\rangle|y\rangle = \begin{cases} |x\rangle|y \oplus 1\rangle & \text{if } lsb(x) = b_i \text{ and } x \in QR_M \\ |x\rangle|y\rangle & \text{otherwise} \end{cases} $$

In summary, it can be said that the gate $S_{b_i}$ inverts the target qubit when the value of the control qubit would have produced the associated bit $b_i$ according to the hard-core predicate $lsb$.

The last step of the attack setup is to determine how many Grover iterations will be necessary. In this case, just a single solution is expected over $N = \lceil \log M \rceil = 5$ bits of input, i.e., 32 numbers. So, the number of iterations $k$ is given by:

(6)

Arranging the gates as suggested by the algorithm, the resulting circuit is shown in Figure 1.



[Figure 1: circuit diagram; registers initialized to $|0\rangle$ and $|1\rangle$, Hadamard gates, the $S$ and $p$ gates, and the intermediate states $|\psi_0\rangle, |\psi_1\rangle, \ldots, |\psi_6\rangle$]

Figure 1: Quantum circuit that implements the attack against the BBS generator.



1.2 Attack Example 

Since the requirements for the attack are prepared, the generalized quantum permanent compromise attack is ready to be executed.

The first step is to prepare the four input registers, as shown in $|\psi_0\rangle$ below:

$$ |\psi_0\rangle = |00000\rangle|00\rangle|1\rangle \qquad (7) $$

A superposition of the input is made to represent the whole domain of the generator. The last qubit is also put in superposition because it will be used in the amplitude amplification phase:

$$ |\psi_1\rangle = \frac{1}{\sqrt{32}} \sum_{i=0}^{31} |i\rangle|00\rangle|-\rangle \qquad (8) $$

Emphasizing the domain $QR_M$, the state $|\psi_1\rangle$ can be rewritten as:

$$ |\psi_1\rangle = \frac{1}{\sqrt{32}}(|1\rangle + |4\rangle + |7\rangle + |9\rangle + |15\rangle + |16\rangle + |18\rangle)|00\rangle|-\rangle \qquad (9) $$
$$ + \frac{1}{\sqrt{32}} \sum_{i \notin QR_M} |i\rangle|00\rangle|-\rangle \qquad (10) $$

With the first observed bit $b_1 = 1$, the $S_1$ gate will be applied, resulting in:

$$ |\psi_2\rangle = S_1|\psi_1\rangle \qquad (11) $$
$$ = \frac{1}{\sqrt{32}}(|1\rangle + |7\rangle + |9\rangle + |15\rangle)|10\rangle|-\rangle + \frac{1}{\sqrt{32}}(|4\rangle + |16\rangle + |18\rangle)|00\rangle|-\rangle + \frac{1}{\sqrt{32}} \sum_{i \notin QR_M} |i\rangle|00\rangle|-\rangle \qquad (12) $$

Up to this point, the algorithm identifies $X_1 = \{1, 7, 9, 15\}$ as the potential candidates for the representative. It is important to notice that this identification is just at the quantum level.

The Rabin function, implemented by the $p$ gate, must be applied to the input:

$$ |\psi_3\rangle = p|\psi_2\rangle \qquad (13) $$
$$ = \frac{1}{\sqrt{32}}(|1\rangle + |7\rangle + |18\rangle + |15\rangle)|10\rangle|-\rangle + \frac{1}{\sqrt{32}}(|4\rangle + |16\rangle + |9\rangle)|00\rangle|-\rangle + \frac{1}{\sqrt{32}} \sum_{i \notin QR_M} |i\rangle|00\rangle|-\rangle \qquad (14) $$

The second bit will be used to determine $X_2$:

$$ |\psi_4\rangle = S_0|\psi_3\rangle \qquad (15) $$
$$ = \frac{1}{\sqrt{32}}(|1\rangle + |7\rangle + |15\rangle)|10\rangle|-\rangle + \frac{1}{\sqrt{32}}|18\rangle|11\rangle|-\rangle + \frac{1}{\sqrt{32}}(|4\rangle + |16\rangle)|01\rangle|-\rangle + \frac{1}{\sqrt{32}}|9\rangle|00\rangle|-\rangle + \frac{1}{\sqrt{32}} \sum_{i \notin QR_M} |i\rangle|00\rangle|-\rangle \qquad (16) $$

It is important to notice that $X_2 = \{9\}$ and the solution is already identified at the quantum level. The next step is simply to obtain $X_3$:

$$ |\psi_5\rangle = p|\psi_4\rangle \qquad (17) $$
$$ = \frac{1}{\sqrt{32}}|9\rangle|11\rangle|-\rangle + \frac{1}{\sqrt{32}}(|1\rangle + |7\rangle + |15\rangle)|10\rangle|-\rangle + \frac{1}{\sqrt{32}}(|16\rangle + |4\rangle)|01\rangle|-\rangle + \frac{1}{\sqrt{32}}|18\rangle|00\rangle|-\rangle + \frac{1}{\sqrt{32}} \sum_{i \notin QR_M} |i\rangle|00\rangle|-\rangle \qquad (18) $$

The state $|\psi_5\rangle$ can be written as a partition, where

$$ |\psi_5\rangle = \frac{1}{\sqrt{32}}|9\rangle|11\rangle|-\rangle + \frac{1}{\sqrt{32}} \sum_{i=0,\, i \neq 9}^{31} |i\rangle|z_i\rangle|-\rangle \qquad (19) $$
$$ = \frac{1}{\sqrt{32}}|\psi_{X_2}\rangle + \frac{\sqrt{31}}{\sqrt{32}}|\psi_{\neg X_2}\rangle \qquad (20) $$

It should be noticed that $|\psi_{X_2}\rangle = |9\rangle|11\rangle|-\rangle$ and $|\psi_{\neg X_2}\rangle = \frac{1}{\sqrt{31}} \sum_{i=0,\, i \neq 9}^{31} |i\rangle|z_i\rangle|-\rangle$, where $|z_i\rangle$ denotes the contents of the second register attached to $|i\rangle$.

Considering the geometric representation of this state, then:

$$ |\psi_5\rangle = \sin(\theta)|\psi_{X_2}\rangle + \cos(\theta)|\psi_{\neg X_2}\rangle \qquad (21) $$

where $\sin^2\theta = \frac{1}{32}$ and $\theta \in (0, \frac{\pi}{2})$, therefore $\theta = 0.17771$ radians.

The next step is to perform $k = 4$ Grover iterations, resulting in:

$$ |\psi_6\rangle = G^{\otimes 4}|\psi_5\rangle \qquad (22) $$
$$ = \sin[(2k+1)\theta]|\psi_{good}\rangle + \cos[(2k+1)\theta]|\psi_{bad}\rangle \qquad (23) $$
$$ = \sin[9 \cdot 0.17771]|\psi_{good}\rangle + \cos[9 \cdot 0.17771]|\psi_{bad}\rangle \qquad (24) $$
$$ = \sin(1.599)|\psi_{good}\rangle + \cos(1.599)|\psi_{bad}\rangle \qquad (25) $$

A measurement of the second register will return 9 with probability $|\sin(1.599)|^2 \approx 0.9996$. It means that with just two qubits, the representative of the BBS generator was correctly retrieved with high probability.

This concludes an example of the generalized quantum permanent compromise attack against the security of the BBS generator.
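As an added illustration (not code from the original file or from Guedes et al.), the following Python tracks, basis state by basis state, what the $S_{b_i}$ and $p$ gates of Sections 1.1 and 1.2 do to the first two registers of the BBS circuit, and then computes the amplitude-amplification numbers of eqs. (20)-(25). Because those gates only permute and relabel basis states, the superposition is represented as a dictionary from $|x\rangle$ to the contents of the second register; the ancilla $|-\rangle$ plays no role in this part and is omitted. Function names, the constant names, and the seed 18 used to reproduce the observed prefix are this example's own choices.

```python
import math

M = 21             # M = 3 * 7, the toy modulus used on the page
N_STATES = 2 ** 5  # ceil(log2 21) = 5 qubits in the first register -> 32 basis states


def quadratic_residues(m):
    """QR_m = (Z_m)^2 without 0: the non-zero squares modulo m."""
    return {x * x % m for x in range(1, m)} - {0}


QR_M = quadratic_residues(M)


def rabin(x):
    """Rabin function f(x) = x^2 mod M, eq. (1)."""
    return x * x % M


def lsb(x):
    """Hard-core predicate for j = 5: the least significant bit (footnote 1)."""
    return x & 1


def bbs_bits(seed, n):
    """Iterate eqs (2)-(3): x_i = x_{i-1}^2 mod M, b_i = lsb(x_i)."""
    bits, x = [], seed
    for _ in range(n):
        x = rabin(x)
        bits.append(lsb(x))
    return bits


def p_gate(x):
    """Eqs (4)-(5): square elements of QR_M, leave every other basis state alone."""
    return rabin(x) if x in QR_M else x


def s_gate(x, z, i, b):
    """S_{b_i}: flip qubit i of register 2 when lsb(x) == b and x is in QR_M."""
    z = list(z)
    if x in QR_M and lsb(x) == b:
        z[i] ^= 1
    return z


def circuit_states(bits):
    """Apply S_{b_1}, p, S_{b_2}, p, ... to every basis state |x>|0..0> at once,
    exactly as the circuit does in superposition.  Returns the register contents
    after each gate; for bits '10' the four snapshots are |psi_2> .. |psi_5>."""
    regs = {x: [0] * len(bits) for x in range(N_STATES)}
    snapshots = []
    for i, b in enumerate(bits):
        regs = {x: s_gate(x, z, i, b) for x, z in regs.items()}
        snapshots.append(regs)
        # p permutes the first register; the second-register label travels with |x>
        regs = {p_gate(x): z for x, z in regs.items()}
        snapshots.append(regs)
    return snapshots


def marked(regs, pattern):
    """Basis states |x> whose second register holds the given bit pattern."""
    return {x for x, z in regs.items() if z == list(pattern)}


def brute_force_candidates(bits):
    """Classical cross-check: states in QR_M whose bit stream starts with the
    observed bits.  The circuit's |11>-marked state is this state advanced
    len(bits) steps (here f(f(9)) = 9, since 9 and 18 form a 2-cycle)."""
    out = set()
    for x in QR_M:
        stream, y = [lsb(x)], x
        for _ in range(len(bits) - 1):
            y = rabin(y)
            stream.append(lsb(y))
        if stream == list(bits):
            out.add(x)
    return out


def grover_geometry(n_states, n_good=1):
    """theta, k and the success probability of eqs (20)-(25):
    sin^2(theta) = good/total, k = floor(pi/4 * sqrt(total/good)),
    P(success) = sin^2((2k+1) theta)."""
    theta = math.asin(math.sqrt(n_good / n_states))
    k = math.floor(math.pi / 4 * math.sqrt(n_states / n_good))
    return theta, k, math.sin((2 * k + 1) * theta) ** 2


if __name__ == "__main__":
    observed = [1, 0]                              # b = 10, as on the page
    after_s1, after_p1, after_s0, after_p2 = circuit_states(observed)
    print("candidates after S_1:", sorted(marked(after_s1, (1, 0))))
    print("state carrying |11> in |psi_4>:", marked(after_s0, (1, 1)))
    print("state carrying |11> in |psi_5>:", marked(after_p2, (1, 1)))
    print("classical cross-check:", brute_force_candidates(observed))
    theta, k, p_ok = grover_geometry(N_STATES)
    print(f"theta = {theta:.5f} rad, k = {k}, P(marked state) = {p_ok:.4f}")
```

Running it reproduces the sets that appear in eqs. (12), (14), (16) and (18): $\{1, 7, 9, 15\}$ after $S_1$, $|18\rangle$ carrying $|11\rangle$ in $|\psi_4\rangle$ and $|9\rangle$ carrying $|11\rangle$ in $|\psi_5\rangle$. The same per-state tracking works for any observed prefix, which is the point of the setup: every extra observed bit is one more $S_{b_i}$, $p$ pair, and the quantum part only has to amplify whatever the marking leaves.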



2 Kaliski Generator 

The Kaliski generator is based on the elliptic curve discrete logarithm problem. Let $p$ be a prime, $p \equiv 2 \pmod 3$, and consider a curve $E(\mathbb{F}_p)$ that consists of points $(x, y) \in \mathbb{F}_p \times \mathbb{F}_p$ such that:

$$ y^2 = x^3 + c \qquad (26) $$

The points of $E(\mathbb{F}_p)$ together with a point at infinity $O$ form a cyclic additive group of order $p + 1$. Let $Q$ be a generator of this group and let $\lambda$ be a function, defined in terms of $\phi(P)$ (given in Section 3), as follows:

$$ \lambda(P) = \begin{cases} 1 & \text{if } \phi(P) > \frac{p+1}{2} \\ 0 & \text{otherwise} \end{cases} $$

The domain of the Kaliski generator is $D = E(\mathbb{F}_p)$ and the seed $P_1$ is a random point on the curve.

Suppose that a cryptosystem uses the Kaliski generator to produce pseudorandom quantities. This generator was initialized with the parameters $p = 5$ and $c = 1$. Suppose also that an adversary of this cryptosystem wants to attack the Kaliski generator.

In this scenario, suppose that the adversary (i) discovered that the following sequence of bits $b = 10$ was output by the generator; and (ii) possesses a quantum computer able to execute the generalized quantum permanent compromise attack on the Blum-Micali construction.

In the next section, details about the Kaliski generator under attack will be presented to the reader in order to clarify the steps of the attack. After that, the attack setup will be described, reporting all the gates and the number of iterations required by the attack. To conclude the attack, the steps of the quantum algorithm will be detailed.

3 Details of Initialization of the Kaliski Generator Under Attack

The Kaliski generator's one-way permutation and hard-core predicate are given below:

$$ f(P) = \phi(P)Q \qquad (27) $$
$$ b_i = \lambda(P_i) \qquad (28) $$

In the example of the Kaliski generator used in this file, the initialization adopted the parameters $p = 5$ and $c = 1$, resulting in the following equation of the curve:

$$ y^2 = x^3 + 1 \bmod 5 \qquad (29) $$

The set of points that satisfy this equation is $\{(4,0), (0,1), (0,4), (2,2), (2,3)\}$. This set together with a point at infinity, denoted by $O$, characterizes the cyclic group of order $p + 1$, i.e., the domain of the permutation.

The generator of this group is $Q = (2,2)$, and it is important to remark that:
$$ Q = (2,2) \qquad (30) $$
$$ 2Q = Q + Q = (0,4) \qquad (31) $$
$$ 3Q = 2Q + Q = (4,0) \qquad (32) $$
$$ 4Q = 3Q + Q = (0,1) \qquad (33) $$
$$ 5Q = 4Q + Q = (2,3) \qquad (34) $$
$$ 6Q = 5Q + Q = O \qquad (35) $$

It is important to notice that $kQ$, where $k$ is an integer, does not represent the ordinary multiplication operation. It represents the addition of a point to itself in the context of an elliptic curve. More details about this operation can be found in the book of Paar and Pelzl (Section 9.1.2 - Group Operations on Elliptic Curves) [7] and also in the book of Stallings (Section 6.5 - Elliptic Curves Over Finite Fields) [9]. The generator of the example has the form:

$$ P_i = \phi(P_{i-1})Q \qquad (36) $$
$$ b_i = \lambda(P_i) \qquad (37) $$

where the function $\phi$ has the following definition:

$$ \phi(P) = \begin{cases} y & \text{if } P = (x, y) \\ p & \text{if } P = O \end{cases} $$

The function $\lambda$ has the following definition:

$$ \lambda(P) = \begin{cases} 1 & \text{if } \phi(P) > 3 \\ 0 & \text{otherwise} \end{cases} $$

For this example, the resulting permutation can be represented as the functional graph illustrated in Figure 2.

[Figure 2: functional graph of the permutation on the encoded domain]

Figure 2: Functional graph for the one-way permutation of the Kaliski generator used in the example.

3.1 Attack Setup

The attack setup comprises all the steps necessary to prepare the quantum algorithm to run. Firstly, it is necessary to determine how many qubits are needed as input.

The number of qubits needed to represent the domain in a quantum computer is $\lceil \log |D| \rceil = \lceil \log 6 \rceil = 3$. Since 2 bits were discovered by the adversary, 2 qubits will be necessary in the third register. In this way, the summary of necessary qubits is: 3 qubits for the first register, 2 qubits for the second register, and 1 ancillary qubit for the amplitude amplification procedure.

Since the points cannot be directly represented in a quantum computer, the following representation will be used:

$$ (4,0) \to |1\rangle \qquad (38) $$
$$ (0,1) \to |2\rangle \qquad (39) $$
$$ (0,4) \to |3\rangle \qquad (40) $$
$$ (2,2) \to |4\rangle \qquad (41) $$
$$ (2,3) \to |5\rangle \qquad (42) $$
$$ O \to |6\rangle \qquad (43) $$

The next step is to prepare the quantum gates that will be used in the attack. The $p$ gate, responsible for implementing the permutation, performs the following transformations:

$$ |0\rangle \to |0\rangle \qquad (44) $$
$$ |1\rangle \to |6\rangle \qquad (45) $$
$$ |2\rangle \to |4\rangle \qquad (46) $$
$$ |3\rangle \to |2\rangle \qquad (47) $$
$$ |4\rangle \to |3\rangle \qquad (48) $$
$$ |5\rangle \to |1\rangle \qquad (49) $$
$$ |6\rangle \to |5\rangle \qquad (50) $$
$$ |7\rangle \to |7\rangle \qquad (51) $$

It should be noticed that the gate $p$ is unitary, since $p \cdot p^\dagger = I$, where $I$ denotes the identity matrix.

The gate $\Lambda_0$ performs the following transformations:

$$ |0\rangle|c\rangle \to |0\rangle|c\rangle \qquad (52) $$
$$ |1\rangle|c\rangle \to |1\rangle|\bar{c}\rangle \qquad (53) $$
$$ |2\rangle|c\rangle \to |2\rangle|\bar{c}\rangle \qquad (54) $$
$$ |3\rangle|c\rangle \to |3\rangle|c\rangle \qquad (55) $$
$$ |4\rangle|c\rangle \to |4\rangle|\bar{c}\rangle \qquad (56) $$
$$ |5\rangle|c\rangle \to |5\rangle|c\rangle \qquad (57) $$
$$ |6\rangle|c\rangle \to |6\rangle|c\rangle \qquad (58) $$
$$ |7\rangle|c\rangle \to |7\rangle|c\rangle \qquad (59) $$

(60)

In the case of the Kaliski generator, the matrix representation of the gates is shown in Appendix A. The reader can verify that they are unitary by multiplying each gate by its conjugate transpose.

The number of iterations required by Grover's algorithm is given by:

$$ k = 2 \qquad (61) $$

Arranging the gates as suggested by the algorithm, the resulting circuit is shown in Figure 3.



[Figure 3: circuit diagram; registers initialized to $|0\rangle$ and $|1\rangle$, Hadamard gates, the $\Lambda_0$ and $p$ gates, and the intermediate states $|\psi_0\rangle, \ldots, |\psi_6\rangle$]

Figure 3: Quantum circuit that implements the attack against the Kaliski generator.



3.2 Attack Example 

The first step describes the initialization of the circuit according to each register, as shown in $|\psi_0\rangle$:

$$ |\psi_0\rangle = |000\rangle|00\rangle|1\rangle \qquad (62) $$

The Hadamard gate is applied to the first and third registers, responsible for putting the input in an equally distributed superposition. The result of the application of such gates is shown in $|\psi_1\rangle$:

$$ |\psi_1\rangle = H^{\otimes 3}|000\rangle|00\rangle H|1\rangle \qquad (63) $$
$$ = \frac{1}{\sqrt{8}} \sum_{i=0}^{7} |i\rangle|00\rangle|-\rangle \qquad (64) $$
$$ = \frac{1}{\sqrt{8}}(|0\rangle + |1\rangle + |2\rangle + |3\rangle + |4\rangle + |5\rangle + |6\rangle + |7\rangle)|00\rangle|-\rangle \qquad (65)\text{--}(66) $$

At this point, all the states have the same probability of being measured. The next step is to perform the first phase of the quantum permanent compromise algorithm, responsible for the identification of the representative. The $\Lambda_0$ gate associates, in the third register, all the elements of the first one that would have produced the bit in the hard-core predicate. The result is shown in $|\psi_2\rangle$ below:

$$ |\psi_2\rangle = \Lambda_0|\psi_1\rangle \qquad (67) $$
$$ = \frac{1}{\sqrt{8}}(|1\rangle + |2\rangle + |4\rangle)|10\rangle|-\rangle + \frac{1}{\sqrt{8}}(|0\rangle + |3\rangle + |5\rangle + |6\rangle + |7\rangle)|00\rangle|-\rangle \qquad (68) $$

It is important to notice that up to this point the candidates for the representative are $\{|1\rangle, |2\rangle, |4\rangle\}$. Since the algorithm reproduces the steps of the Kaliski generator, it is necessary to perform the permutation on all the elements of the domain. This operation is performed by the $p$ gate, as shown in the state $|\psi_3\rangle$:

$$ |\psi_3\rangle = p|\psi_2\rangle \qquad (69) $$
$$ = \frac{1}{\sqrt{8}}(|6\rangle + |4\rangle + |3\rangle)|10\rangle|-\rangle + \frac{1}{\sqrt{8}}(|0\rangle + |2\rangle + |1\rangle + |5\rangle + |7\rangle)|00\rangle|-\rangle \qquad (70) $$

The next step is to apply the gate $\Lambda_0$ again, which will identify the elements that would have produced the second bit. The effect of this gate is reported in $|\psi_4\rangle$:

$$ |\psi_4\rangle = \Lambda_0|\psi_3\rangle \qquad (71) $$
$$ = \frac{1}{\sqrt{8}}|4\rangle|11\rangle|-\rangle + \frac{1}{\sqrt{8}}(|2\rangle + |1\rangle)|01\rangle|-\rangle + \frac{1}{\sqrt{8}}(|6\rangle + |3\rangle)|10\rangle|-\rangle + \frac{1}{\sqrt{8}}(|0\rangle + |5\rangle + |7\rangle)|00\rangle|-\rangle \qquad (72) $$

The next step is to apply the gate $p$ one more time. It is necessary to identify the representative of the internal state $X(3)$:

$$ |\psi_5\rangle = p|\psi_4\rangle \qquad (73) $$
$$ = \frac{1}{\sqrt{8}}|3\rangle|11\rangle|-\rangle + \frac{1}{\sqrt{8}}(|4\rangle + |6\rangle)|01\rangle|-\rangle + \frac{1}{\sqrt{8}}(|5\rangle + |2\rangle)|10\rangle|-\rangle + \frac{1}{\sqrt{8}}(|0\rangle + |1\rangle + |7\rangle)|00\rangle|-\rangle \qquad (74) $$

After that, it is important to notice that the representative of the internal state $X(3)$ is already identified: $|3\rangle$. However, a measurement of the second register at this point would return any number from $|0\rangle$ to $|7\rangle$ with the same probability. The next step of the algorithm comprises the amplitude amplification of the element identified as the solution. To proceed, it is necessary to consider the following representation of the state $|\psi_5\rangle$:

$$ |\psi_5\rangle = \frac{1}{\sqrt{8}}|3\rangle|11\rangle|-\rangle + \frac{1}{\sqrt{8}} \sum_{j=0,\, j \neq 3}^{7} |j\rangle|z_j\rangle|-\rangle \qquad (75) $$
$$ = \frac{1}{\sqrt{8}}|\psi_{X_3}\rangle + \frac{\sqrt{7}}{\sqrt{8}}|\psi_{\neg X_3}\rangle \qquad (76) $$

It should be noticed that there is a partition into two subspaces: $|\psi_{X_3}\rangle = |3\rangle|11\rangle|-\rangle$ and $|\psi_{\neg X_3}\rangle = \frac{1}{\sqrt{7}} \sum_{j \neq 3} |j\rangle|z_j\rangle|-\rangle$.

Considering the geometric representation of this state, then:

$$ |\psi_5\rangle = \sin(\theta)|\psi_{X_3}\rangle + \cos(\theta)|\psi_{\neg X_3}\rangle \qquad (77) $$

where $\sin^2\theta = \frac{1}{8}$ and $\theta \in (0, \frac{\pi}{2})$, therefore $\theta = 0.361$ radians.

The next step of the algorithm is to perform $k = 2$ Grover's iterations on the state $|\psi_5\rangle$, resulting in:

$$ |\psi_6\rangle = G^{\otimes 2}|\psi_5\rangle \qquad (78) $$
$$ = \sin[(2k+1)\theta]|\psi_{good}\rangle + \cos[(2k+1)\theta]|\psi_{bad}\rangle \qquad (79) $$
$$ = \sin[5 \cdot 0.361]|\psi_{good}\rangle + \cos[5 \cdot 0.361]|\psi_{bad}\rangle \qquad (80) $$
$$ = \sin(1.805)|\psi_{good}\rangle + \cos(1.805)|\psi_{bad}\rangle \qquad (81) $$

At this point, a measurement of the second register would return the state $|3\rangle$ with probability $|\sin(1.805)|^2 = 0.946$. With this information the intruder will be able to retrieve the whole set $X(i)$ of internal states of the generator under attack, endangering its unpredictability.

This concludes an example of the generalized quantum permanent compromise attack against the security of the Kaliski generator.
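As an added illustration of Section 3 and of the $p$ gate of Section 3.1 (not code from the original file or from Guedes et al.), the following Python implements the group law on $y^2 = x^3 + c$ over $\mathbb{F}_p$, reproduces the multiples (30)-(35) of $Q = (2,2)$, builds the encoded permutation (44)-(51) from $P_i = \phi(P_{i-1})Q$, and performs the unitarity check $p \cdot p^\dagger = I$ that the text asks the reader to carry out against Appendix A. The names (ec_add, p_gate_table, and so on), the constant INF standing for $O$, and the treatment of the unused codes 0 and 7 as fixed points are this example's own choices; changing the two constants at the top makes it run for any other prime $p \equiv 2 \pmod 3$ and constant $c$.

```python
P_MOD = 5   # the page's prime p (p = 2 mod 3)
C = 1       # the page's curve constant c
INF = None  # the point at infinity O


def curve_points(p=P_MOD, c=C):
    """Affine points (x, y) in F_p x F_p with y^2 = x^3 + c, eqs (26) and (29)."""
    return sorted((x, y) for x in range(p) for y in range(p)
                  if (y * y - x ** 3 - c) % p == 0)


def ec_add(A, B, p=P_MOD):
    """Chord-and-tangent addition on y^2 = x^3 + c (a = 0); INF is the identity."""
    if A is INF:
        return B
    if B is INF:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                      # A + (-A) = O; also doubling a point with y = 0
    if A == B:
        slope = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (slope * slope - x1 - x2) % p
    return (x3, (slope * (x1 - x3) - y1) % p)


def ec_mul(k, A):
    """kA as repeated point addition (the text stresses this is not ordinary multiplication)."""
    R = INF
    for _ in range(k):
        R = ec_add(R, A)
    return R


Q = (2, 2)  # the group generator used on the page


def multiples(n, A=Q):
    """[A, 2A, ..., nA]; for n = 6 this lists eqs (30)-(35)."""
    return [ec_mul(k, A) for k in range(1, n + 1)]


def phi(A):
    """phi(P) = y for P = (x, y) and p for P = O."""
    return P_MOD if A is INF else A[1]


def lam(A):
    """Hard-core predicate lambda(P) = 1 if phi(P) > (p+1)/2, else 0."""
    return 1 if phi(A) > (P_MOD + 1) // 2 else 0


def next_point(A):
    """One-way permutation P_i = phi(P_{i-1}) Q, eq. (36)."""
    return ec_mul(phi(A), Q)


def kaliski_bits(seed, n):
    """n output bits of the generator from seed P_1, eqs (36)-(37)."""
    bits, A = [], seed
    for _ in range(n):
        A = next_point(A)
        bits.append(lam(A))
    return bits


# Encoding of eqs (38)-(43); the 3-qubit labels 0 and 7 encode no point.
ENCODE = {(4, 0): 1, (0, 1): 2, (0, 4): 3, (2, 2): 4, (2, 3): 5, INF: 6}
DECODE = {code: pt for pt, code in ENCODE.items()}


def p_gate_table():
    """Where the p gate sends each of |0> .. |7>, eqs (44)-(51)."""
    table = {0: 0, 7: 7}            # unused labels are left fixed, as on the page
    for code, pt in DECODE.items():
        table[code] = ENCODE[next_point(pt)]
    return table


def permutation_matrix(table):
    """0/1 matrix whose column j carries its single 1 in row table[j]."""
    n = len(table)
    return [[1 if table[j] == i else 0 for j in range(n)] for i in range(n)]


def is_unitary(mat):
    """For a real 0/1 matrix, p * p^dagger = I reduces to p * p^T = I."""
    n = len(mat)
    for i in range(n):
        for j in range(n):
            dot = sum(mat[i][k] * mat[j][k] for k in range(n))
            if dot != (1 if i == j else 0):
                return False
    return True


if __name__ == "__main__":
    print("curve points:", curve_points())
    print("Q, 2Q, ..., 6Q:", multiples(6))
    print("p gate:", p_gate_table())
    print("p gate unitary:", is_unitary(permutation_matrix(p_gate_table())))
    print("bits from seed (2,2):", kaliski_bits(Q, 6))
```

The table printed for the $p$ gate is the functional graph of Figure 2 in dictionary form: two 3-cycles, $1 \to 6 \to 5 \to 1$ and $2 \to 4 \to 3 \to 2$, plus the fixed points 0 and 7. Since every column of the resulting matrix has exactly one 1, the unitarity check succeeds, which is the reason a classical permutation of the domain can be lifted to a gate at all.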



4 Final Remarks 

The examples illustrated in this file show how to endanger the security of the generators BBS and Kaliski from the Blum-Micali construction. This endangering is done by a quantum permanent compromise attack, and the consequence is that an adversary is capable of reproducing all the previous and future outputs of the generator.

The quantum attack is based on Amplitude Amplification, a generalization of Grover's quantum search. This attack provides a quadratic speedup over the classical analogous algorithm. For more details about the quantum attack, the reader is referred to the papers of Guedes et al. [3, 4].
A Matrix Representation of the Gates

$p =$

1